DNS Spoofing: What is it and how to prevent it?

IT Security seems to be a never-ending battle between the white hats and the black hats. The white hats devise a way of blocking malware, the black hats devise new varieties of malware to get around the new defences.

And it’s not just new variants on existing threats, it is new threats themselves and new delivery vectors for threats. We now have malware embedded in email attachments, steganography hiding them in photographs and videos, phishing attacks becoming more and more common and irritating. IT Security is no longer just setting up anti-malware software and devices and making sure the detection files are up to date.

What is DNS Spoofing?

Users rely on the assumption that clicking a web link in an email or browser window will take them to the legitimate website. Instead, because of malware, they could end up at a hijacked website or somewhere else entirely. This is often accomplished by a process called DNS Spoofing.

So, what is DNS Spoofing (also commonly called DNS Poisoning) and how do you protect against it?

The first thing to understand is that DNS is needed to convert the human-readable name of a site to the actual IP address where the site can be found. For example, www.fred.com is 123.456.789.012.

When you type www.fred.com into your browser, your device asks for that translation. The answer could come from the device itself, or from a local network or Internet-based DNS server. Usually, corporate systems have a DNS server on the local network, while a domestic user will use one provided by their ISP.

Simply put, a DNS server is a dictionary of records that provides a name-to-IP-address translation service.

While there are large numbers of DNS servers attached to the Internet, your PC, smart device or corporate DNS server creates local records of the relationship between names and addresses for the sites you commonly visit. This cuts down network traffic and speeds up the process. Obviously, if there is no local record, an Internet-based server provides the information.

DNS Spoofing is where the IP Address corresponding to a site name is compromised and the user ends up at a different site from the one they intended to visit. It can be accomplished by compromising the local records, by compromising the DNS server itself, or by redirecting the user to a different DNS server that contains tainted records.

To summarise, DNS Spoofing describes a wide range of attacks that aim to compromise DNS information. The purpose can be simply to cause mischief, or to direct the user to the attacker’s website to download malware or steal information.

In the first case, compromising local information (commonly called DNS Cache Poisoning), locally cached records are replaced by bogus records. A larger-scale version is to poison the DNS server’s own records. Because DNS servers talk to each other to keep their information complete and up to date, a bogus entry can very quickly spread around the world with potentially disastrous effects.

It has happened. In 2010, an ISP mistakenly used Chinese DNS servers to update their local DNS servers. At that time, the Great Firewall of China was operating, blocking access to some sites, particularly news and social media. When the local DNS servers updated themselves with the Chinese information, local access to those sites was also blocked. Other DNS servers updated their records from the ISP’s DNS server and the blocking quickly spread, affecting millions of users across the world, particularly the US. In effect, a large-scale DNS Poisoning attack.

How to Prevent DNS Spoofing?

There is no easy way to stop this. It is extremely difficult to tell whether the results of a DNS request are legitimate. A newer mechanism using public-key cryptography, called DNSSEC, offers some hope. The basic idea is that the organisation supplying the DNS information signs the DNS records. It then becomes clear if the DNS information has been compromised, because a tampered record will not validate against the signer’s key. The United States Department of Defence has mandated that all MIL and GOV domains must begin using DNSSEC.
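As an added illustration of the signing idea described above (not code from the original article), here is a simplified Go model: the zone operator signs each record with the zone’s private key, and a validating resolver checks the signature against the zone’s trusted public key before accepting the answer. It uses Ed25519 as a stand-in and does not implement the real DNSSEC record formats (RRSIG, DNSKEY) or the chain of trust; the record values are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RR is a simplified resource record: owner name, record type and data.
// Constructed model only; real DNSSEC signs whole RRsets in wire format.
type RR struct {
	Name, Type, Data string
}

// canonical is the byte string that gets signed. It binds name, type and
// data together, so changing any one of them invalidates the signature.
func canonical(rr RR) []byte {
	return []byte(strings.ToLower(rr.Name) + "\x00" + rr.Type + "\x00" + rr.Data)
}

// SignRR is the zone operator's step: sign the record with the zone key.
func SignRR(zoneKey ed25519.PrivateKey, rr RR) []byte {
	return ed25519.Sign(zoneKey, canonical(rr))
}

// VerifyRR is the validating resolver's step: before accepting or caching
// an answer, check its signature against the zone's trusted public key.
func VerifyRR(trusted ed25519.PublicKey, rr RR, sig []byte) bool {
	return ed25519.Verify(trusted, canonical(rr), sig)
}

func main() {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := RR{"www.example.com.", "A", "192.0.2.10"} // constructed sample
	sig := SignRR(zonePriv, good)
	fmt.Println("genuine record validates:", VerifyRR(zonePub, good, sig))

	// Poisoned cache entry: same name, different address, original signature.
	bad := RR{"www.example.com.", "A", "198.51.100.77"}
	fmt.Println("altered record validates:", VerifyRR(zonePub, bad, sig))

	// Record signed with a key the resolver does not trust ("incorrect key").
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign-key record validates:", VerifyRR(zonePub, bad, SignRR(otherPriv, bad)))
}
```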

If your network is part of a secure network, look for ways to avoid using external DNS. For example, maintain a corporate hosts file for Windows machines, distribute it to all local devices, and don’t use Internet-based DNS servers.

Use an Intrusion detection system.

Use DNSSEC.

To wrap up, DNS in some form or another is vital to the correct operation of the Internet. With care, you can avoid DNS spoofing.